author | Nicolas Lacasse <nlacasse@google.com> | 2021-08-20 17:42:52 -0700 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2021-08-20 17:45:33 -0700 |
commit | 0e49e0821910ae03f029d372f9244148c214cb16 (patch) | |
tree | 491ab76752cdac81083e203a0fad0678ef002638 | |
parent | 154ccbae312f5754b3497e6a296da756952d620c (diff) |
Fix lock ordering violation introduced in cl/347704347.
We cannot hold mm.aioManager.mu while calling MUnmap, because MUnmap attempts
to acquire mm.mappingMu. This violates the lock order as documented in mm/mm.go.
PiperOrigin-RevId: 392102472
-rw-r--r-- | pkg/sentry/mm/aio_context.go | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/pkg/sentry/mm/aio_context.go b/pkg/sentry/mm/aio_context.go
index b7f765cd7..d71d64580 100644
--- a/pkg/sentry/mm/aio_context.go
+++ b/pkg/sentry/mm/aio_context.go
@@ -77,15 +77,6 @@ func (mm *MemoryManager) destroyAIOContextLocked(ctx context.Context, id uint64)
 		return nil
 	}
 
-	// Only unmaps after it assured that the address is a valid aio context to
-	// prevent random memory from been unmapped.
-	//
-	// Note: It's possible to unmap this address and map something else into
-	// the same address. Then it would be unmapping memory that it doesn't own.
-	// This is, however, the way Linux implements AIO. Keeps the same [weird]
-	// semantics in case anyone relies on it.
-	mm.MUnmap(ctx, hostarch.Addr(id), aioRingBufferSize)
-
 	delete(mm.aioManager.contexts, id)
 	aioCtx.destroy()
 	return aioCtx
@@ -411,6 +402,15 @@ func (mm *MemoryManager) DestroyAIOContext(ctx context.Context, id uint64) *AIOC
 		return nil
 	}
 
+	// Only unmaps after it assured that the address is a valid aio context to
+	// prevent random memory from been unmapped.
+	//
+	// Note: It's possible to unmap this address and map something else into
+	// the same address. Then it would be unmapping memory that it doesn't own.
+	// This is, however, the way Linux implements AIO. Keeps the same [weird]
+	// semantics in case anyone relies on it.
+	mm.MUnmap(ctx, hostarch.Addr(id), aioRingBufferSize)
+
 	mm.aioManager.mu.Lock()
 	defer mm.aioManager.mu.Unlock()
 	return mm.destroyAIOContextLocked(ctx, id)
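Review bot: In the second hunk the MUnmap now runs before mm.aioManager.mu is taken, so the validity check that precedes it (above the hunk; DestroyAIOContext starts outside this diff) and the unmap are no longer serialized against a concurrent DestroyAIOContext for the same id, and two callers can both pass the check and both unmap, the second hitting whatever has since been mapped at that address, which widens the window the moved comment already concedes. Because destroyAIOContextLocked (first hunk) returns nil once the id is gone from the map, the order can be flipped so that only the caller that actually removed the context unmaps: take the lock, remove the context, release the lock, then MUnmap with no lock held, which still respects the order documented in mm/mm.go. That swap puts aioCtx.destroy() ahead of the unmap, and I cannot tell from the diff whether that ordering matters, so it needs checking before adopting it. If the swap is not acceptable, the moved comment should at least say that the check and the unmap now run without aioManager.mu held; either way, `from been unmapped` in that comment should read `from being unmapped` while it is being moved. Any other caller of destroyAIOContextLocked, if one exists outside this diff, now has to do its own unmapping.

```go
	// … unchanged: validity check …
	mm.aioManager.mu.Lock()
	aioCtx := mm.destroyAIOContextLocked(ctx, id)
	mm.aioManager.mu.Unlock()
	if aioCtx == nil {
		return nil
	}
	// Unmap only after this caller has removed the context from the map, so
	// concurrent destroys of the same id cannot both unmap; no lock is held
	// here, which keeps the mm/mm.go lock order.
	mm.MUnmap(ctx, hostarch.Addr(id), aioRingBufferSize)
	return aioCtx
```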